-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
permission: fix spawnSync permission check #46975
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Please also include:
Fixes: https://github.com/nodejs-private/node-private/issues/394
41d0d74
to
693b833
Compare
Fixes: nodejs-private/node-private#394 Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
693b833
to
67f3bce
Compare
Fast-track has been requested by @RafaelGSS. Please 👍 to approve. |
Requesting fast-track because I'll work on the v19.8.0 proposal tomorrow and we need to have this patch. |
Commit Queue failed- Loading data for nodejs/node/pull/46975 ✔ Done loading data for nodejs/node/pull/46975 ----------------------------------- PR info ------------------------------------ Title permission: fix spawnSync permission check (#46975) Author Rafael Gonzaga (@RafaelGSS) Branch RafaelGSS:fix/add-permission-spawn-check -> nodejs:main Labels child_process, c++, fast-track, needs-ci Commits 1 - permission: fix spawnSync permission check Committers 1 - RafaelGSS PR-URL: https://github.com/nodejs/node/pull/46975 Fixes: https://github.com/nodejs-private/node-private/issues/394 Reviewed-By: Colin Ihrig Reviewed-By: Anna Henningsen ------------------------------ Generated metadata ------------------------------ PR-URL: https://github.com/nodejs/node/pull/46975 Fixes: https://github.com/nodejs-private/node-private/issues/394 Reviewed-By: Colin Ihrig Reviewed-By: Anna Henningsen -------------------------------------------------------------------------------- ⚠ Commits were pushed since the last review: ⚠ - permission: fix spawnSync permission check ℹ This PR was created on Mon, 06 Mar 2023 16:46:11 GMT ✔ Approvals: 2 ✔ - Colin Ihrig (@cjihrig) (TSC): https://github.com/nodejs/node/pull/46975#pullrequestreview-1326742875 ✔ - Anna Henningsen (@addaleax): https://github.com/nodejs/node/pull/46975#pullrequestreview-1327221779 ℹ This PR is being fast-tracked ✔ Last GitHub CI successful ℹ Last Full PR CI on 2023-03-06T22:59:26Z: https://ci.nodejs.org/job/node-test-pull-request/50242/ - Querying data for job/node-test-pull-request/50242/ ✔ Last Jenkins CI successful -------------------------------------------------------------------------------- ✔ Aborted `git node land` session in /home/runner/work/node/node/.ncuhttps://github.com/nodejs/node/actions/runs/4356000066 |
Landed in b164038 |
Fixes: nodejs-private/node-private#394 Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #46975 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Richard Lau <rlau@redhat.com>
Maybe we should consider letting it bake on |
I don't see much value in it, at least for this particular feature. It's useful when it's a significant change or notable change being released in an LTS release. @cjihrig found the bug as a Node.js maintainer, I don't see other Node.js contributors finding it as they are unlikely to use it. Errors like this will be encountered (if any) by users and as you stated, would be fixed in a security release -- but, I don't see the baking time avoiding it though. However, if you feel strongly about the baking time of this feature, I can postpone it to v19.9.0. Just let me know. |
That's a good point. I don't feel strongly about it. I am only bringing this up because I think it is very likely that this feature will lead to vulnerability reports shortly after being released, simply because it significantly increases the attack surface and has only been reviewed by very few people so far. Letting it bake might lead to more issues like this being found that can be fixed publicly, but it might just as well be unlikely. |
Well, skipping it for v19.8.0 won't hurt. Let's release the permission model in v19.9.0 then. I will include the blocked label. |
Fixes: nodejs-private/node-private#394 Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #46975 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Richard Lau <rlau@redhat.com>
It was missing in the original PR #44004.
Fixes: https://github.com/nodejs-private/node-private/issues/394